If the transaction being removed is the first item in the list
of transactions then we need to update the pointer to the head
of the list so it does not have a stale reference.

This is an attempt to fix the tsilo crashes we've been seeing. The crashes occur in ts_onreply while iterating over the transactions to remove the transaction for the TMCB_DESTROY callback. One of the transaction pointers is not a valid shared memory address and the process crashes.

This crash results in the main kamailio process getting a SIGCHILD signal and it tries to shut down. This reaches code to free the transactions and it crashes in free_ts_urecord while trying to free the same transaction.

Inspecting code I can't tell how remove_ts_transaction resets urecord->transactions to be the head of the list of the first transaction to be removed is the first item in the list. This would leave a dangling pointer there and seems likely to be the cause of the crash.

You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/311

Commit Summary

• Change remove_ts_transaction so it updates head pointer of list

File Changes

• M modules/tsilo/ts_hash.c (4)

Patch Links:

• https://github.com/kamailio/kamailio/pull/311.patch
• https://github.com/kamailio/kamailio/pull/311.diff

—
Reply to this email directly or view it on GitHub.